Re: [suse-security] Question About Sys/Sec Logs

From: Carlos E. R. (robin1.listastiscali.es)
Date: Tue Mar 15 2005 - 06:33:54 CST


The Monday 2005-03-14 at 14:33 -0500, Don Parris wrote:

> In my syslog (via Yast) I found the following entries:
>
> (020405B401010402)
> Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
> Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
> Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT

It is a known attempt to log in to your machine, probably automated,
trying to learn first whether certain common user names exist on your
machine: test, guest, admin, user, etc. Then, if they think that such a
user name exists, they will try to guess the password. Your system
rejected those attempts.

It seems they learn of the existence of those users because the sshd
daemon answers with different delays depending on whether the user name exists.

This was solved by a patch, reported in suse-security-announce on
18 Feb 2005:

   - openssh information leak

     Openssh as shipped with SUSE Linux allows a possible timing
     attack that could be abused remotely to determine existing users
     on the system by watching replies to failed password attempts.

     This is tracked by the Mitre CVE ID CAN-2003-0190.

     Additionally the output of failing PAM sessions will now be
     displayed and the terminal-setting for aborted login-sessions
     will get restored correctly.

     This bugfix was released for SUSE Linux 9.1, 9.2 and SUSE Linux
     Enterprise Server 9.

--
Cheers,
       Carlos Robinson
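The log pattern described in this reply (SuSEfirewall2 accepting the SYN on port 22, then sshd rejecting a probe of a common account name such as test, guest, admin or user) can be picked out of a syslog file mechanically. The script below is an added example, not code from the original post or from SUSE: it parses the two line types quoted above, groups them by source address, and flags sources that walk through several account names or touch one of the names the reply lists. The sample log is constructed to look like the quoted lines and is not a real capture; the 10.0.0.x entries are assumed, added only to show sources that do not get flagged.

```python
"""Detect SSH user-name probing in syslog lines like those quoted in the post.

Added example, not the original post's code. Handles:
  kernel: SFW2-INext-ACC-TCP ... SRC=<ip> ... DPT=22 ...   (firewall accepted SYN)
  sshd[pid]: Invalid user <name> from <ip>                   (login rejected)
  sshd[pid]: Accepted <method> for <name> from <ip> ...      (login succeeded)
"""
import re
from collections import defaultdict

# Constructed sample modelled on the format in the post; not a real capture.
SAMPLE_LOG = """\
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:47 luke sshd[26287]: Invalid user guest from ::ffff:218.153.147.92
Mar 14 08:04:50 luke sshd[26289]: Invalid user admin from ::ffff:218.153.147.92
Mar 14 08:04:53 luke sshd[26291]: Invalid user user from ::ffff:218.153.147.92
Mar 14 09:12:01 luke sshd[26400]: Invalid user bob from ::ffff:10.0.0.5
Mar 14 09:12:30 luke sshd[26402]: Accepted publickey for carlos from 10.0.0.7 port 51022 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# "::ffff:" marks an IPv4 peer seen through an IPv4-mapped IPv6 socket; strip it
# so firewall and sshd lines for the same peer land in the same bucket.
INVALID_USER_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<src>\S+)")
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?:::ffff:)?(?P<src>\S+)")
SFW2_ACCEPT_RE = re.compile(
    TS + r" \S+ kernel: SFW2-INext-ACC-TCP .*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)\b")

# Names the reply lists as an automated scanner's usual first guesses.
COMMON_PROBE_NAMES = frozenset({"test", "guest", "admin", "user"})


def _new_record():
    return {"invalid_users": [], "syn_to_22": 0, "accepted": [], "first": None, "last": None}


def _touch(rec, ts):
    """Track first and last timestamp seen for a source, in file order."""
    if rec["first"] is None:
        rec["first"] = ts
    rec["last"] = ts


def summarize(log_text):
    """Group the three line types by source address.

    Returns {src: {"invalid_users": [names in order], "syn_to_22": count,
                   "accepted": [names], "first": ts, "last": ts}}.
    """
    per_src = defaultdict(_new_record)
    for line in log_text.splitlines():
        if (m := INVALID_USER_RE.match(line)):
            rec = per_src[m["src"]]
            rec["invalid_users"].append(m["user"])
            _touch(rec, m["ts"])
        elif (m := ACCEPTED_RE.match(line)):
            rec = per_src[m["src"]]
            rec["accepted"].append(m["user"])
            _touch(rec, m["ts"])
        elif (m := SFW2_ACCEPT_RE.match(line)) and m["dpt"] == "22":
            rec = per_src[m["src"]]
            rec["syn_to_22"] += 1
            _touch(rec, m["ts"])
    return dict(per_src)


def flag_enumeration(per_src, min_distinct=3):
    """Return {src: reason} for sources whose rejected logins look like
    automated user-name probing: several distinct names, or any name from
    the common list. A single typo'd login from a normal user is not flagged."""
    flagged = {}
    for src, rec in per_src.items():
        names = set(rec["invalid_users"])
        common = sorted(names & COMMON_PROBE_NAMES)
        if len(names) >= min_distinct:
            flagged[src] = (f"{len(names)} distinct invalid user names between "
                            f"{rec['first']} and {rec['last']}")
        elif common:
            flagged[src] = "probed common account name(s): " + ", ".join(common)
    return flagged


def main():
    per_src = summarize(SAMPLE_LOG)
    for src, reason in flag_enumeration(per_src).items():
        rec = per_src[src]
        outcome = ("no successful login from this source" if not rec["accepted"]
                   else "WARNING: successful login as " + ", ".join(rec["accepted"]))
        print(f"{src}: {reason}; {rec['syn_to_22']} SYN(s) to port 22 accepted "
              f"by the firewall; {outcome}")


if __name__ == "__main__":
    main()
```

Run it against /var/log/messages instead of the embedded sample by passing the file's contents to summarize(). The "Accepted" correlation is there so that a flagged source which later logs in successfully stands out from one the system merely rejected, which is the distinction the reply draws.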

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here